
Prismo

local-first OSINT intelligence platform — single binary, Go + Svelte, SQLite, Maltego-style transform graph, 10+ intel disciplines, any AI or none

Prismo / INTELLIGENCE PLATFORM

Local-first, single-binary, all-source intelligence platform.
Go backend · Svelte frontend · SQLite · Any AI (Ollama, Claude, GPT, Groq, Mistral, DeepSeek, OpenRouter, Gemini, or compatible) · Maltego-style transform graph

Free project — no payment required. Everything works with free APIs; any API keys in Settings are optional (your choice). We prefer free alternatives; paid APIs are only used if you add your own key. See docs/FREE_APIS.md and docs/PAID_AND_MAINTAINED_SOURCES.md.

AI is optional. You can use Prismo with zero AI configured. See Modes below and docs/AI_OPTIONAL.md. First time? docs/GETTING_STARTED.md — glossary, quick start, troubleshooting.

Modes: what you can do without AI vs with AI

| Mode | What works |
| --- | --- |
| No AI (default) | Cases (create, open, delete). Entities and graph (add IP, domain, email, wallet, URL, person, query, etc.; add/delete relationships; layouts; export PNG/SVG/GraphML). All non-AI transforms: OSINT (IP, domain, email, username), DARKINT (Ahmia), CYBINT/threat (VirusTotal, ThreatCrowd, URLhaus, PhishTank), FININT (wallet, sanctions), GEOINT (geocode, reverse), TECHINT (InternetDB, Shodan), SOCMINT (21-platform search), HUMINT (source reports), NEWS (RSS), Wayback, VIN lookup, Dork Builder, fetch/crawl. Dashboard, timeline, map. Export case JSON; report MD (plain summary when AI not set). Settings (API keys for VT, Shodan, etc.). |
| With AI (optional) | Everything above, plus: MEMEINT (narrative analysis), AI-INT (entity extraction from text), AI Analyze (content + context), AI Fuse (cross-correlate intel), AI Report (brief/detailed/TLP report). Configure in Settings: Ollama (local, no key) or any supported provider. |

So: full intel workflow (case → entities → transforms → graph → export) works in no-AI mode. AI only adds analysis, fusion, report generation, and entity extraction from free text.

Use tools your way. Run individual transforms and intel actions when you want (graph, case view); use automated workflows (templates, batch) only when you want. See docs/USER_CHOICE.md.

Vision: The roadmap’s centerpiece is an AI Copilot that answers questions like "Find me everything suspicious about this domain" with a synthesized answer and evidence—the feature that can make Prismo the most powerful free intelligence platform. See docs/AI_COPILOT_VISION.md.

Responsible use. Prismo is for legitimate research, threat intelligence, due diligence, and authorized investigations only. Do not use it for stalking, harassment, doxxing, or any unlawful or unethical purpose. You are responsible for complying with applicable laws and terms of service of data sources. See docs/COMPLIANCE_AND_RESPONSIBLE_USE.md.

Stack

| Layer | Tech |
| --- | --- |
| Backend | Go 1.22+ (single static binary) |
| Frontend | Svelte 5 + Vite |
| Graph | Cytoscape.js (multiple layouts) |
| Database | SQLite (modernc.org/sqlite) |
| AI | Ollama, Anthropic (Claude), OpenAI (GPT), Groq, Mistral, Together, xAI (Grok), DeepSeek, OpenRouter, Fireworks AI, Anyscale, Lepton, Google (Gemini), Cohere, Azure OpenAI, or any OpenAI-compatible API (LocalAI, LiteLLM, vLLM, etc.) |

Features

  • OSINT: IP — ip-api (geolocation, ISP, org, ASN), IPInfo, AbuseIPDB (reputation); domain — WHOIS via RDAP first then whoisjson, DNS (A, MX, NS, TXT), HackerTarget host search (parsed host→ip list), crt.sh (subdomains), URLScan.io (scan history); email — HIBP (breaches), Hunter.io (verification; optional key); username — 70+ platforms (GitHub, GitLab, Twitter, Reddit, HN, Instagram, TikTok, Steam, Keybase, Telegram, LinkedIn, Mastodon, Pinterest, Vimeo, Twitch, Medium, Dev.to, Codepen, …), Reddit enrichment (karma, creation date, verified). All sources run in parallel; combined summary per lookup (location, org, abuse score; registrar, ns_count, subdomain_count; pwned, hunter status; platforms_found).
  • DARKINT: Ahmia onion search (use in Tor for full results)
  • HUMINT: Structured source report entry — Subject/Who, Date, Source type, Location, Contact method, What (summary), Assessment, Follow-up actions, Reliability (A–F), Tags; saved to case intel log
  • CYBINT / Threat: IP — VirusTotal, ThreatCrowd (free), URLhaus host (optional Abuse.ch key). Domain — VT, ThreatCrowd, URLhaus. Hash — VirusTotal, MalwareBazaar (optional Abuse.ch key). URL — PhishTank (optional app key), URLhaus. Combined summary (malicious count, detections, in_phish_database, urlhaus_threat). Graph: related IOCs from ThreatCrowd (resolutions, subdomains, hashes, emails).
  • FININT: Wallet lookup — Bitcoin (blockchain.info: balance_btc, tx_count, up to 25 txs) and Ethereum (Etherscan: balance_eth, tx_count, up to 25 txs) in parallel; combined summary (balance_btc, balance_eth, tx_count_btc, tx_count_eth, counterparties list); graph: sent_to and received_from edges (BTC inputs/out, ETH from/to). Sanctions — OpenSanctions (persons, orgs, entities); entity type and dataset/source in graph nodes.
  • GEOINT: Nominatim geocoding + reverse geocode (lat,lon → address)
  • TECHINT: Port/service scan — InternetDB (free, no key) always for IPs; Shodan full API (with key in Settings) for detailed banners; combined result with hostname extraction, open_ports, and services summary
  • Person / identity lookup: person entity (name) runs SOCMINT, sanctions (OpenSanctions), Wikidata, Wikipedia, court (CourtListener), company (OpenCorporates, SEC EDGAR, Companies House), news (GDELT), academic (Semantic Scholar, PubMed, CrossRef). username entity runs 70+ profile checks + SOCMINT + Bluesky profile. See docs/PERSON_LOOKUP.md.
  • SOCMINT: Multi-platform search (21+ sources, no API keys): Reddit, Hacker News, GitHub, Stack Overflow, GitLab, Bitbucket, Codeberg, Dev.to, Medium, Wikipedia, Mastodon (3 instances), Bluesky, Nitter (Twitter), npm, PyPI, Docker Hub, ArXiv, Lobste.rs, Packagist, Crates.io, RubyGems, Hashnode — all searched simultaneously via SocialSearchAll
  • NEWS: Multi-source news search (no API key): Google News RSS US/UK, Bing News RSS, Reddit r/news and r/worldnews; per article: title, link, pub_date, source, source_url, description, snippet
  • MEMEINT: AI narrative/influence analysis (requires AI)
  • AI-INT: Entity extraction from text (persons, orgs, locations, domains, IPs, emails, wallets) → suggest graph nodes (requires AI)
  • AI Fusion: cross-correlate all case intel (requires AI)
  • AI Reports: brief / detailed / TLP:WHITE (requires AI); export report (MD) and case (JSON); report is plain summary when AI not set
  • Transform graph: Maltego-style — add entities (ip, domain, wallet, hash, url, coords, query…), run transforms (OSINT, threat, sanctions, geocode, DARKINT, SOCMINT, etc.), optional layouts (force, circle, grid, tree, concentric). Relationships (edges): add (source, target, type, confidence 0–1), delete by id. Relationship types: related_to, met_with, reported_to, works_with, communicates_with, located_at, owns, uses, associated_with; employed_by, member_of, family_of, contacted; sent_to, received_from, hosted_by, links_to, located_in; resolves_to, subdomain_of, open_port, crawled, geocodes_to; sanctions_match, reported_by, verified_by, isp. GET /api/relationship-types returns the full list.
  • Dork Builder: Build Google-dork style queries from fields (site, filetype, intitle, inurl, intext) or paste a raw dork; templates; open in Google, DuckDuckGo, Bing, Startpage, Yandex, Qwant, Ecosia. See docs/DORK_BUILDER_AND_SEARCH_ENGINES.md.
  • Case management: SQLite persistence, no cloud

Build and run (do this every time)

The UI is embedded into the binary at build time. If you run ./prismo without building first, or build only the backend, the app will show a blank page or fail to start.

cd /path/to/prismo
make all
./prismo

Then open http://localhost:3456 (or http://<this-machine-ip>:3456 from another device). Data is stored in prismo.db in the current directory. Optional: Route all outbound API traffic through Tor or another proxy via Settings → proxy_url (e.g. socks5h://127.0.0.1:9050 for Tor). See docs/GETTING_STARTED.md §3.1.

  • make all = build frontend (into frontend/dist) then build Go binary (embeds that dist). Required before first run and after any frontend changes.
  • Frontend-only change? Run make all again so the new dist is re-embedded.
  • If the server panics with "frontend not embedded", you ran the binary from the wrong place or didn’t run make all.
  • Alternative: ./build.sh does the same (frontend build + go build -ldflags="-s -w").
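The proxy_url setting described above only protects a lookup if a mistyped value cannot silently fall back to direct traffic. The Go code below is an added example, not Prismo's own code; NewOutboundClient, ProxyFor and the accepted scheme list are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Schemes accepted for proxy_url (assumption; Prismo's own set may differ).
var proxySchemes = map[string]bool{"socks5": true, "socks5h": true, "http": true, "https": true}

// NewOutboundClient (hypothetical helper) builds the client for outbound
// lookups. Empty proxyURL means direct. A non-empty but unusable value is an
// error: falling back to direct traffic would reveal the analyst's IP.
func NewOutboundClient(proxyURL string) (*http.Client, error) {
	tr := &http.Transport{Proxy: nil} // nil also ignores HTTP_PROXY from the environment
	if proxyURL != "" {
		u, err := url.Parse(proxyURL)
		if err != nil {
			return nil, fmt.Errorf("proxy_url: %w", err)
		}
		if !proxySchemes[u.Scheme] || u.Hostname() == "" || u.Port() == "" {
			return nil, fmt.Errorf("proxy_url: need scheme://host:port, got %q", proxyURL)
		}
		tr.Proxy = http.ProxyURL(u) // every request is sent to this proxy
	}
	return &http.Client{Transport: tr, Timeout: 30 * time.Second}, nil
}

// ProxyFor reports the proxy the client would use for target ("" = direct).
func ProxyFor(c *http.Client, target string) string {
	tr := c.Transport.(*http.Transport)
	req, err := http.NewRequest(http.MethodGet, target, nil)
	if tr.Proxy == nil || err != nil {
		return ""
	}
	if u, _ := tr.Proxy(req); u != nil {
		return u.String()
	}
	return ""
}

func main() {
	c, _ := NewOutboundClient("socks5h://127.0.0.1:9050")
	fmt.Println("proxy in use:", ProxyFor(c, "https://example.com/"))
	_, err := NewOutboundClient("sock5h://127.0.0.1:9050") // typo in scheme
	fmt.Println("rejected:", err)
}
```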

Dev

make dev-backend   # Terminal 1 (optional: ENV=development for CORS from Vite)
make dev-frontend  # Terminal 2 — http://localhost:5173, proxies /api to 3456

With ENV=development, the backend allows CORS from http://localhost:5173 so the Vite dev server can call the API when both run separately. The Vite proxy already forwards /api to the backend, so CORS is only needed if you hit the backend from another origin.
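One way to scope the development-only CORS allowance to the Vite origin, shown as an added example rather than Prismo's actual middleware. devCORS, probe and the allowed method and header lists are assumptions; the look-alike origin is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const viteOrigin = "http://localhost:5173" // Vite dev-server origin from the README

// devCORS (hypothetical middleware) adds CORS headers only when env is
// "development" and the Origin header is exactly the Vite dev server.
// Otherwise it adds nothing, so browsers keep blocking cross-origin reads.
func devCORS(env string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if env == "development" && r.Header.Get("Origin") == viteOrigin {
			h := w.Header()
			h.Set("Access-Control-Allow-Origin", viteOrigin) // fixed value, never "*" or an echo
			h.Add("Vary", "Origin")
			if r.Method == http.MethodOptions { // preflight: answer here, skip the API
				h.Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
				h.Set("Access-Control-Allow-Headers", "Content-Type")
				w.WriteHeader(http.StatusNoContent)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one request through devCORS to a stub API handler and returns
// the status code and the Access-Control-Allow-Origin value in the response.
func probe(env, method, origin string) (int, string) {
	api := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(method, "/api/relationship-types", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	devCORS(env, api).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	// Constructed sample origins; the second is a look-alike that must not match.
	for _, o := range []string{viteOrigin, "http://localhost:5173.evil.example"} {
		code, acao := probe("development", http.MethodGet, o)
		fmt.Printf("%-36s -> %d %q\n", o, code, acao)
	}
}
```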

AI provider (Settings)

Use any AI for analysis, fusion, and reports:

  • Ollama (local) — no API key; set endpoint (e.g. http://localhost:11434) and model (e.g. llama2).
  • Anthropic (Claude) — set API key and model.
  • OpenAI (GPT) — set API key and model.
  • Groq — fast inference (Llama, Mixtral); endpoint https://api.groq.com/openai, API key required.
  • Mistral AI — endpoint https://api.mistral.ai/v1, API key required.
  • Together AI — endpoint https://api.together.xyz/v1, API key required.
  • xAI (Grok) — endpoint https://api.x.ai/v1, API key required.
  • DeepSeek — endpoint https://api.deepseek.com, API key required (OpenAI-compatible).
  • OpenRouter — endpoint https://openrouter.ai/api/v1, one key for many models (OpenAI-compatible).
  • Fireworks AI — endpoint https://api.fireworks.ai/inference/v1, API key required.
  • Anyscale Endpoints — endpoint https://api.endpoints.anyscale.com/v1, API key required.
  • Lepton — endpoint https://api.lepton.run, API key required (OpenAI-compatible).
  • Google (Gemini) — use an OpenAI-compatible gateway (e.g. LiteLLM) or set endpoint + API key.
  • Cohere — use an OpenAI-compatible gateway (e.g. LiteLLM) or set endpoint + API key.
  • Azure OpenAI — set your Azure resource endpoint (e.g. https://xxx.openai.azure.com), API key required.
  • OpenAI-compatible — any API that speaks OpenAI chat completions (LocalAI, LiteLLM, vLLM, etc.): set base URL, optional API key, and model.

Settings: AI provider, Endpoint, Model, API key (not needed for Ollama). Stored in prismo.db. Legacy anthropic_api_key still works if no ai_provider is set.

Export

  • Download report: Case view → generate report → "DOWNLOAD REPORT" (MD or TXT; AI-generated when configured, else plain intel summary).
  • Export case: "EXPORT CASE" (JSON: case, entities, relationships, intel_results with ai_summary).

Graph

Open a case → GRAPH. Add entity, select node, run transform (e.g. OSINT IP). Switch layout: Force, Circle, Grid, Tree, Concentric.

Docs at a glance

  • Modes (no AI vs with AI): see Modes section above and docs/AI_OPTIONAL.md
  • What’s actually implemented vs roadmap: docs/IMPLEMENTED_VS_ROADMAP.md
  • How Prismo compares to other OSINT tools (IP, domain, email): docs/OSINT_COMPARISON.md
  • First run / glossary / troubleshooting: docs/GETTING_STARTED.md
  • What works without AI (full list): docs/AI_OPTIONAL.md
  • Looking up a person: docs/PERSON_LOOKUP.md — which entity types (person, username, email, phone), which transforms to run, and how the graph ties them together.
  • Other public sources not yet in Prismo: docs/OTHER_PUBLIC_SOURCES.md — threat (OTX, CVE), court (CourtListener), company (SEC EDGAR, Companies House), transport (ADS-B, vessels), academic, paste/leak, DNS; free vs key; how to add.
  • Government / open data / geospatial (link-out): docs/LINKOUT_GOVERNMENT_GEOSPATIAL.md — data.gov, FOIA, USGS, Sentinel Hub, PACER, state courts, EU e-Justice; for manual research or future integration.
  • Gaps & optional work: docs/MISSING_OR_OPTIONAL.md — unimplemented or optional items (e.g. OnionLand in UI, “Add to graph” from AI extract, OpenSanctions key, map panel).
